# Group And Sort Entities

It is a common hunting task to group or sort entities in a variable to gain insight into the entities and orgainze the follow-up hunt steps.

## What you will learn

0. How to group or sort entities?
1. How to `GROUP` entities by an attribute?
2. How to `GROUP` entities by multiple attributes?
3. How to use aggregation functions in `GROUP`?
4. How to `SORT` entities before display?
5. Exercise: group processes by binary/image and count PIDs

### 0. How to gain aggregated information of entities?

Use the [GROUP](https://kestrel.readthedocs.io/en/latest/language.html#group) command to group entities in a variable. The command will create new attributes on the entities to summarize the groups, e.g., `unique_attrY` when groupped by attribute `attrX`.

Use the [SORT](https://kestrel.readthedocs.io/en/latest/language.html#sort) command to sort entities in a variable. Most of the time the order of entities in a variable does not matter, except you try to display them.

### 1. How to `GROUP` entities by an attribute?

In [1]:
conns = GET network-traffic
        FROM file:///tmp/lab101.json
        WHERE [network-traffic:dst_port > 0]
        
src_grps = GROUP conns BY src_ref.value

DISP src_grps

src_ref.value,unique_dst_port,unique_dst_ref.value,unique_src_port,unique_protocols,unique_x_opened_connection_of_ref.name,unique_x_opened_connection_of_ref.pid,unique_x_opened_connection_of_ref.binary_ref.name,unique_x_opened_connection_of_ref.binary_ref.parent_directory_ref.path,unique_x_opened_connection_of_ref.creator_user_ref.user_id,unique_x_opened_connection_of_ref.creator_user_ref.account_login,unique_x_opened_connection_of_ref.x_opened_connection_count,first_observed,last_observed,number_observed
10.16.100.223,1,1,1,1,1,1,1,1,1,1,1,2021-04-03T01:45:32.857Z,2021-04-03T01:45:32.857Z,1
10.171.5.141,5,4,23,5,1,3,1,1,3,3,1,2021-04-03T00:01:55.417Z,2021-04-03T01:59:56.404Z,29
10.184.147.141,3,7,17,3,1,3,1,1,3,3,1,2021-04-03T00:12:27.129Z,2021-04-03T01:57:47.340Z,30
224.0.0.251,1,27,1,1,1,1,1,1,1,1,1,2021-04-03T00:00:25.098Z,2021-04-03T01:58:52.924Z,64
224.0.0.252,169,6,1,1,1,1,1,1,1,1,1,2021-04-03T00:01:00.754Z,2021-04-03T01:59:42.719Z,169
ff02:0:0:0:0:0:0:fb,1,18,1,1,1,1,1,1,1,1,1,2021-04-03T00:02:05.200Z,2021-04-03T01:58:52.924Z,42
ff02:0:0:0:0:0:1:3,169,6,1,1,1,1,1,1,1,1,1,2021-04-03T00:01:00.746Z,2021-04-03T01:59:42.719Z,169

VARIABLE,TYPE,#(ENTITIES),#(RECORDS),directory*,file*,ipv4-addr*,ipv6-addr*,mac-addr*,network-traffic*,process*,user-account*,x-ecs-destination*,x-ecs-network*,x-ecs-process*,x-ecs-source*,x-ecs-user*,x-oca-asset*,x-oca-event*
conns,network-traffic,504,504,504,504,1594,926,504,0,504,504,504,504,504,504,504,504,504
src_grps,network-traffic,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0


### 2. How to `GROUP` entities by multiple attributes?

In [2]:
src_dst_grps = GROUP conns BY src_ref.value, dst_ref.value

DISP src_dst_grps ATTR src_ref.value, dst_ref.value, unique_src_port, unique_dst_port

src_ref.value,dst_ref.value,unique_src_port,unique_dst_port
10.16.100.223,10.171.5.141,1,1
10.171.5.141,10.0.10.50,8,1
10.171.5.141,10.0.18.50,8,1
10.171.5.141,10.171.5.22,1,1
10.171.5.141,10.22.254.211,6,3
10.184.147.141,10.0.77.54,1,1
10.184.147.141,10.162.185.211,1,1
10.184.147.141,10.184.147.22,12,1
10.184.147.141,104.97.85.29,1,1
10.184.147.141,104.97.85.50,1,1

VARIABLE,TYPE,#(ENTITIES),#(RECORDS),directory*,file*,ipv4-addr*,ipv6-addr*,mac-addr*,network-traffic*,process*,user-account*,x-ecs-destination*,x-ecs-network*,x-ecs-process*,x-ecs-source*,x-ecs-user*,x-oca-asset*,x-oca-event*
src_dst_grps,network-traffic,0,69,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0


### 3. How to use aggregation functions in `GROUP`?

There are 6 aggregation functions you can use in the command [GROUP](https://kestrel.readthedocs.io/en/latest/language.html#group).

In [3]:
# count the number of destination IPs given a source IP
rc_grps = GROUP conns BY network-traffic:src_ref.value WITH COUNT(dst_ref.value)

DISP rc_grps

src_ref.value,count_dst_ref.value
10.16.100.223,1
10.171.5.141,29
10.184.147.141,30
224.0.0.251,64
224.0.0.252,169
ff02:0:0:0:0:0:0:fb,42
ff02:0:0:0:0:0:1:3,169

VARIABLE,TYPE,#(ENTITIES),#(RECORDS),directory*,file*,ipv4-addr*,ipv6-addr*,mac-addr*,network-traffic*,process*,user-account*,x-ecs-destination*,x-ecs-network*,x-ecs-process*,x-ecs-source*,x-ecs-user*,x-oca-asset*,x-oca-event*
rc_grps,network-traffic,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0


In [4]:
# rename the count attribute as you like
rc_grps_renamed = GROUP conns BY network-traffic:src_ref.value WITH COUNT(dst_ref.value) AS dst_count

DISP rc_grps_renamed

src_ref.value,dst_count
10.16.100.223,1
10.171.5.141,29
10.184.147.141,30
224.0.0.251,64
224.0.0.252,169
ff02:0:0:0:0:0:0:fb,42
ff02:0:0:0:0:0:1:3,169

VARIABLE,TYPE,#(ENTITIES),#(RECORDS),directory*,file*,ipv4-addr*,ipv6-addr*,mac-addr*,network-traffic*,process*,user-account*,x-ecs-destination*,x-ecs-network*,x-ecs-process*,x-ecs-source*,x-ecs-user*,x-oca-asset*,x-oca-event*
rc_grps_renamed,network-traffic,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0


### 4. How to `SORT` entities before display?

It is a common hunting practice to sort entities based on an attribute such as count or timestamp.

In [5]:
rc_grps_renamed_sorted = SORT rc_grps_renamed BY dst_count

DISP rc_grps_renamed_sorted

src_ref.value,dst_count
224.0.0.252,169
ff02:0:0:0:0:0:1:3,169
224.0.0.251,64
ff02:0:0:0:0:0:0:fb,42
10.184.147.141,30
10.171.5.141,29
10.16.100.223,1

VARIABLE,TYPE,#(ENTITIES),#(RECORDS),directory*,file*,ipv4-addr*,ipv6-addr*,mac-addr*,network-traffic*,process*,user-account*,x-ecs-destination*,x-ecs-network*,x-ecs-process*,x-ecs-source*,x-ecs-user*,x-oca-asset*,x-oca-event*
rc_grps_renamed_sorted,network-traffic,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0


### 5. Exercise: group processes by binary/image and count PIDs

Copy the huntflow of **1. How to `FIND` child processes of processes?** from tutorial huntbook **3. Find Connected Entities.ipynb** into the cell below and reexecute the huntflow. Then write a new follow-up hunt step in the next cell to group `scheduled_tasks` by its binary image and count how many processes are executed per each binary on disk.

Tip: the binary image attribute of a process is `binary_ref.name`.\
Tip: use the PID (process attribute: `pid`) as an unique identifier for a process instance executed from the binary.